This news is already a week old, but it only got submitted to us today, and I didn't notice it at all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and a theme, respectively).

In a general way I wasn't really arguing with you. My problem was "If you do this, you are safe". It's not that cut and dried. For example, Debian has an extensive testing, maintenance, and QA process they follow, with checks built into the package manager to prevent tampering; Slackware is basically stuff pushed up to an FTP, and then mirrored out. I would trust Debian a heck of a lot more than Slack. (Not to say I wouldn't trust Slack, just that Debian has more focus on this, and is more than one guy.)

The same trust thing is true on Windows. If you download something anonymously off of an anonymous torrent site, I would have a very low level of trust. If you download something off of SourceForge, I would have a much higher level of trust, although significantly less than from Debian, and would probably verify the signature before installing it on a server. If I download something from Microsoft.com I would actually hope to get a virus, since they would probably be willing to pay a lot of money to shut me up due to how much they have on the line ;-)

Too many people just want magic bullet solutions, and assume they are safe. It doesn't matter how many security products you have on Windows, whether or not you use Linux, or how you download your files. There is always a chance of bad things happening; it is all about doing things to lower the risk, and never just assuming you are safe.
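The "verify the signature before installing it on a server" step above is worth spelling out, since a .deb handed to dpkg runs its maintainer scripts as root. The following shell script is an added example, not code from the original thread or from any distribution: it refuses to install a package unless the published checksum manifest verifies against a keyring of keys you already trust, and the package's SHA-256 matches that manifest. The file names (`pkg.deb`, `SHA256SUMS`, `SHA256SUMS.asc`, `trusted.gpg`) are assumed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): gate `dpkg -i` behind two
# checks, so a tampered download from a mirror or theme site is rejected.
#   1. the checksum manifest must carry a valid detached signature from a
#      key in a keyring we control (not one fetched alongside the package);
#   2. the package's SHA-256 must match the entry in that signed manifest.

# Print the SHA-256 of a file, using sha256sum (coreutils) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE MANIFEST
# MANIFEST is in `sha256sum` format: "<hex>  <name>" per line.
# Returns 0 only if an entry for FILE's basename exists and matches.
verify_checksum() {
    file=$1
    manifest=$2
    name=$(basename "$file")
    expected=$(awk -v f="$name" '$2 == f {print $1}' "$manifest")
    if [ -z "$expected" ]; then
        echo "refusing: no entry for $name in $manifest" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$expected" != "$actual" ]; then
        echo "refusing: checksum mismatch for $name" >&2
        return 1
    fi
    return 0
}

# verify_manifest_signature MANIFEST SIGNATURE KEYRING
# gpgv is the minimal verifier apt itself uses; it only trusts keys in the
# keyring given here, so a key shipped next to the download buys nothing.
verify_manifest_signature() {
    gpgv --keyring "$3" "$2" "$1"
}

# install_verified_deb PACKAGE MANIFEST SIGNATURE KEYRING
# Order matters: check the signature before trusting anything in the manifest.
install_verified_deb() {
    pkg=$1
    manifest=$2
    sig=$3
    keyring=$4
    verify_manifest_signature "$manifest" "$sig" "$keyring" || {
        echo "refusing: manifest signature did not verify" >&2
        return 2
    }
    verify_checksum "$pkg" "$manifest" || return 3
    dpkg -i "$pkg"
}

# Typical use (assumed file names):
#   install_verified_deb pkg.deb SHA256SUMS SHA256SUMS.asc /etc/apt/trusted.gpg.d/vendor.gpg
```

The keyring must come from somewhere other than the download itself (a vendor key you installed earlier, or the distribution's own keyring); otherwise an attacker who can swap the package can just as easily swap the key, and the signature check degrades into a checksum check.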

> In a general way I wasn't really arguing with you. My problem was "If you do this, you are safe". It's not that cut and dried. For example, Debian has an extensive testing, maintenance, and QA process they follow, with checks built into the package manager to prevent tampering; Slackware is basically stuff pushed up to an FTP, and then mirrored out. I would trust Debian a heck of a lot more than Slack. (Not to say I wouldn't trust Slack, just that Debian has more focus on this, and is more than one guy.) The same trust thing is true on Windows. If you download something anonymously off of an anonymous torrent site, I would have a very low level of trust. If you download something off of SourceForge, I would have a much higher level of trust, although significantly less than from Debian, and would probably verify the signature before installing it on a server. If I download something from Microsoft.com I would actually hope to get a virus, since they would probably be willing to pay a lot of money to shut me up due to how much they have on the line ;-) Too many people just want magic bullet solutions, and assume they are safe.

This is all perfectly fair enough.

> It doesn't matter how many security products you have on Windows, whether or not you use Linux, or how you download your files. There is always a chance of bad things happening; it is all about doing things to lower the risk, and never just assuming you are safe.

Here is where we diverge. It does matter, very much, how you go about getting the software on to your system.

If you stick to a system where the whole process, from whoa to go, from source code text editor all the way through to "click apply" for installing the software on the end user's system, is auditable and visible to many eyes who use (but who did not write) that code, then you can be safe.

If you routinely deal with a binary-blob system where no one but the original authors (who just may be malicious) ever has visibility into the code, then you will be quite likely to get malware.

It is a mindset thing; it is a paradigm. Windows itself is all too firmly in the latter camp (even if the code from Microsoft itself can be trusted). Expect to get burned.